Community Discussions and Support
Max login attempts per ip address and reverse DNS lookup

1) Is there an easy way to blacklist an IP address after for instance, 4 invalid login attempts?


2) A long, long time ago, I thought I heard Mercury would have reverse DNS lookup. I don't see it in 4.90.


Thanks for a great product for my one-user email server. I think I've been running somewhat problem-free for over 20 years.


Jerry



1) You don't say what sort of login attempts these are, but assuming they are authentication attempts in MercuryS: have you tried setting 'Simplified Phishing Protection' in the compliance tab?


2) Yes, that would be a useful addition, and I am also looking forward to seeing that ;)


paul



I saw the phishing but it says it locks the account for 30 minutes. At that rate I would be locked all day unless there is an authorized way around the lock.


Yes, they are login/password phishing attempts.



I have been away from Mercury for a while but I remember this as a lock per offending IP address. When you set this, keep it in mind when configuring devices for access. An error in credentials will trigger the 30 minute lockout.



> I saw the phishing but it says it locks the account for 30 minutes. At that rate I would be locked all day unless there is an authorized way around the lock.



Are you using any blocklist checks such as Spamhaus?


edited Aug 26 '22 at 5:12 pm

Yes, I have several blacklist sites but get very, very few hits on spamhaus, barracuda, etc. I haven't seen an address rejected by those sites in quite a while.



I put any failed auth attempts on an ACL blacklist, but that isn't very practical if you are getting a lot from different IP addresses.


My best advice is to ensure all your usernames and passwords are long and obscure - that reduces the chances of them being broken by the usual automated login attempts.



Lastly, with regards to the temporary block, is there a way to lengthen it or even make the block permanent when triggered in the transaction filter? I looked in the ini file and didn't see anything.


I think my passwords are long enough and obscure, I also don't use them on any other site.


Thanks for the pointers. The block on the ehlo [127.0.0.1] had a very large impact on my problem.


Jerry



The built-in blacklist isn't configurable, but you could try using my [SmtpEvt daemon](http://downloads.serieguide.se/SmtpEvt.zip) to get some more options. It can do automatic Spamhaus lookups as well if desired.

Me again. One thing that was never cleared up: simplified phishing, does that lock the account completely or just for the offending IP address?


Example:


login CNCjerry badpass from 46.148.40.70
login CNCjerry badpass from 46.148.40.70
login CNCjerry badpass from 46.148.40.70
account locked or only locked from 46.148.40.70?


then immediately after account is locked:
login CNCjerry goodpass from 192.168.1.1 can this address login?


I've been getting hit by Iran on my two mail servers, only one is Mercury. There seem to be 5 servers in this botnet. They hit me about every 5 seconds, maybe more frequently. The log file hits 100meg in two months, for instance. So when I see it happening, and I don't check that often, I deny the entire bot subnet in an ACL on a 10Gig switch that feeds the server. Since September I've had to add about 15 addresses to the ACL, not a big hassle. When I add them everything settles down. By the way graywall really made a difference.


I can probably do this with an ACL, but is there a way to only allow logins to the mail server (authorized users) from a specific IP address range? For instance, my local subnet and then addresses on my cell network (if that is practical). If not, I think I'll figure out a way on my router.


Thanks, nothing but compliments from me. I've had so few issues for the past 21 years, I think, I've used it.


Jerry
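The two questions in this post, whether a lock applies to the account or only to the offending address, and whether logins can be limited to an address range, as an added example that is neither Mercury's code nor anything posted in this thread: a small Python policy that counts failures per source IP and locks only that IP, so a correct login from another address still succeeds. The 4-attempt threshold and 30-minute lockout are the thread's numbers; the 10-minute counting window, the allow-list networks and the one-line-per-attempt log format (constructed from the example above) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MAX_FAILURES = 4                 # thread's numbers: 4 bad logins ...
LOCKOUT = timedelta(minutes=30)  # ... lock the source address for 30 minutes
WINDOW = timedelta(minutes=10)   # only failures this recent count (assumption)

class PerIpLockout:
    """Lock out the offending source address only; the account itself stays usable."""
    def __init__(self, allowed_nets=None):
        # Optional allow-list of networks that may authenticate at all (hypothetical)
        self.allowed = [ip_network(n) for n in allowed_nets or []]
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime the lock expires

    def check(self, ts, good_password, ip):
        if self.allowed and not any(ip_address(ip) in n for n in self.allowed):
            return "reject: source outside allow-list"
        if ip in self.locked_until and ts < self.locked_until[ip]:
            return "reject: IP locked"
        if good_password:
            return "accept"
        recent = self.failures[ip]
        recent.append(ts)
        while ts - recent[0] > WINDOW:       # drop failures older than the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = ts + LOCKOUT
            recent.clear()
            return "reject: bad password, IP now locked"
        return "reject: bad password"

def replay(lines, allowed_nets=None):
    """Run log lines through the policy; returns one (ip, verdict) per login record."""
    policy, out = PerIpLockout(allowed_nets), []
    for line in lines:
        p = line.split()   # constructed format: "<ISO time> login <user> badpass|goodpass from <ip>"
        if len(p) == 6 and p[1] == "login" and p[4] == "from":   # skip non-login lines
            out.append((p[5], policy.check(datetime.fromisoformat(p[0]), p[3] == "goodpass", p[5])))
    return out

SAMPLE = [  # constructed: the post's example, extended with timestamps
    "2022-09-01T10:00:00 login CNCjerry badpass from 46.148.40.70",
    "2022-09-01T10:00:05 login CNCjerry badpass from 46.148.40.70",
    "2022-09-01T10:00:10 login CNCjerry badpass from 46.148.40.70",
    "2022-09-01T10:00:15 login CNCjerry badpass from 46.148.40.70",
    "2022-09-01T10:00:20 login CNCjerry goodpass from 46.148.40.70",
    "2022-09-01T10:00:25 login CNCjerry goodpass from 192.168.1.1",
]
```

Calling `replay(SAMPLE)` shows the fourth failure locking 46.148.40.70, the correct password from that address being refused, and the login from 192.168.1.1 accepted; passing `allowed_nets=["192.168.1.0/24"]` rejects the outside address before any password is checked.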



> you could try using my SmtpEvt daemon to get some more options


Hi Rolf.


The download link isn't working.
Is the 2019-03-13 version the latest one?
Regards.


Maurício Faria



> The download link isn't working.
> Is the 2019-03-13 version the latest one?

Thanks for pointing it out, I'll update the DNS entry so it points to the current server address shortly. In the meantime I've attached the file here. It's the most recent release.


SmtpEvt.zip



Ok. Thanks.


Could you point out where the blacklist is located?
I was unable to figure it out...
I would like to use it to populate a firewall rule so these IPs don't even pass it.


Regards.
Maurício Ventura Faria



The list of blocked IP addresses is in program memory only I'm afraid.

